From patchwork Sat Feb 25 00:41:50 2012
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 143004
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 25 Feb 2012 01:41:50 +0100
From: Pablo Neira Ayuso
To: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH 3/3] netfilter: ctnetlink: support kernel-space dump filtering by ctmark
Message-ID: <20120225004150.GA13494@1984>
References: <1330129817-28199-1-git-send-email-pablo@netfilter.org> <1330129817-28199-4-git-send-email-pablo@netfilter.org>
In-Reply-To: <1330129817-28199-4-git-send-email-pablo@netfilter.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Mailing-List: netdev@vger.kernel.org

On Sat, Feb 25, 2012 at 01:30:17AM +0100, pablo@netfilter.org wrote:
> From: Pablo Neira Ayuso
>
> This patch adds CTA_MARK_MASK which, together with CTA_MARK, allows
> you to selectively send conntrack entries to user-space by
> returning those that match mark & mask.
>
> With this, we can save cycles in the building and the parsing of
> the entries that may be later on filtered out in user-space by using
> the ctmark & mask.

Minor glitch in this patch. One ifdef was missing that would spot an
unused variable warning if CONFIG_NF_CONNTRACK_MARK is disabled.

New patch for ctnetlink attached.

From 604bb5f7385bcde5be0e0a5f3f52fa05ef21d3bc Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso Date: Sat, 25 Feb 2012 00:48:38 +0100 Subject: [PATCH 3/3] netfilter: ctnetlink: support kernel-space dump filtering by ctmark This patch adds CTA_MARK_MASK which, together with CTA_MARK, allows you to selectively send conntrack entries to user-space by returning those that match mark & mask. With this, we can save cycles in the building and the parsing of the entries that may be later on filtered out in user-space by using the ctmark & mask. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nfnetlink_conntrack.h | 1 + net/netfilter/nf_conntrack_netlink.c | 35 ++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletions(-) diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 5ec1abc..e58e4b9 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h @@ -43,6 +43,7 @@ enum ctattr_type { CTA_ZONE, CTA_SECCTX, CTA_TIMESTAMP, + CTA_MARK_MASK, __CTA_MAX }; #define CTA_MAX (__CTA_MAX - 1) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index dd4aaba..800ec17 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -691,9 +691,18 @@ static int ctnetlink_done(struct netlink_callback *cb) { if (cb->args[1]) nf_ct_put((struct nf_conn *)cb->args[1]); + if (cb->data) + kfree(cb->data); return 0; } +struct ctnetlink_dump_filter { + struct { + u_int32_t val; + u_int32_t mask; + } mark; +}; + static int ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) { 
@@ -703,7 +712,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) struct hlist_nulls_node *n; struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); u_int8_t l3proto = nfmsg->nfgen_family; - +#ifdef CONFIG_NF_CONNTRACK_MARK + const struct ctnetlink_dump_filter *filter = cb->data; +#endif spin_lock_bh(&nf_conntrack_lock); last = (struct nf_conn *)cb->args[1]; for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) { @@ -723,6 +734,12 @@ restart: continue; cb->args[1] = 0; } +#ifdef CONFIG_NF_CONNTRACK_MARK + if (filter && !((ct->mark & filter->mark.mask) == + filter->mark.val)) { + continue; + } +#endif if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, cb->nlh->nlmsg_seq, NFNL_MSG_TYPE( @@ -894,6 +911,7 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { [CTA_NAT_DST] = { .type = NLA_NESTED }, [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, [CTA_ZONE] = { .type = NLA_U16 }, + [CTA_MARK_MASK] = { .type = NLA_U32 }, }; static int @@ -982,6 +1000,21 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, .dump = ctnetlink_dump_table, .done = ctnetlink_done, }; +#ifdef CONFIG_NF_CONNTRACK_MARK + if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { + struct ctnetlink_dump_filter *filter; + + filter = kzalloc(sizeof(struct ctnetlink_dump_filter), + GFP_ATOMIC); + if (filter == NULL) + return -ENOMEM; + + filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); + filter->mark.mask = + ntohl(nla_get_be32(cda[CTA_MARK_MASK])); + c.data = filter; + } +#endif return netlink_dump_start(ctnl, skb, nlh, &c); } -- 1.7.7.3
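Review bot: the new CTA_MARK_MASK entry in the ctattr_type enum (nfnetlink_conntrack.h hunk) carries no documentation of when it is honoured; since the rest of the patch only consults it on dump requests and only when CTA_MARK is also present, a short comment beside the enum entry, or a sentence in the commit message, would stop user-space authors from sending it alone and wondering why nothing changes. Appending it after CTA_TIMESTAMP keeps the existing attribute numbers stable, which is the right place for it.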
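Review bot: the `if (cb->data)` guard added to ctnetlink_done() is redundant, because kfree() accepts a NULL pointer; the usual kernel idiom is a bare `kfree(cb->data);`.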
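Review bot: in the first ctnetlink_dump_table() hunk the `#ifdef CONFIG_NF_CONNTRACK_MARK` block replaces the blank line that separated the declarations from `spin_lock_bh(&nf_conntrack_lock);`; keep an empty line after `#endif` so the declaration section stays visually separate from the locked region. The ifdef itself is the fix for the unused-variable warning mentioned in the reply, so the content is fine.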
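Review bot: in the restart-loop hunk the mask is applied to ct->mark but never to filter->mark.val, so a request whose CTA_MARK has bits set outside CTA_MARK_MASK can never satisfy `(ct->mark & filter->mark.mask) == filter->mark.val` and the dump silently returns nothing; either mask the value once when the filter is built (`filter->mark.val &= filter->mark.mask`) or document that user-space must pass a pre-masked value. As a style point, `!((a & m) == v)` reads better as `(ct->mark & filter->mark.mask) != filter->mark.val`, and the braces around the lone `continue;` are not needed.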
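Review bot: in the ctnetlink_get_conntrack() hunk `filter` is leaked when netlink_dump_start() fails: `c.data = filter;` is set and the return value is handed straight back, but ctnetlink_done(), which is the only place that frees cb->data, runs only for a dump that was actually registered. Check the result and kfree(filter) on error, or move the allocation to a point where the dump is known to have started. Also, is GFP_ATOMIC needed for this kzalloc()? Nothing in the hunk shows a lock being held across it, so GFP_KERNEL would be the less surprising choice if the caller allows it.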
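The mark/mask filter that the commit message and the ctnetlink_dump_table() hunk describe, as an added example in C that is not part of the patch or of the kernel: it builds the two attributes the way a user-space dump request would carry them, parses them as ctnetlink does (NLA_U32 policy check, then nla_get_be32() and ntohl()), installs a filter only when both CTA_MARK and CTA_MARK_MASK are present, and applies the kernel's predicate to a constructed table of conntrack marks. The attribute numbers CTA_MARK = 8 and CTA_MARK_MASK = 21 are assumed from the uapi enum this patch extends, and the local nla_hdr struct mirrors netlink's attribute layout instead of including <linux/netlink.h>, so the program compiles on any POSIX system without a kernel.

```c
/* Added example, not code from the patch or the kernel: build a ctnetlink
 * request carrying CTA_MARK + CTA_MARK_MASK, parse it the way the kernel
 * side does, and apply the dump predicate to a constructed conntrack table. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed uapi numbering: CTA_MARK = 8; CTA_MARK_MASK is appended after
 * CTA_TIMESTAMP (= 20) by this patch. Check against your kernel headers. */
#define CTA_MARK      8
#define CTA_MARK_MASK 21
#define CTA_MAX       21

/* Same layout as struct nlattr, redefined locally to stay portable. */
struct nla_hdr {
    uint16_t nla_len;    /* header + payload, without trailing padding */
    uint16_t nla_type;
};
#define NLA_ALIGN(len) (((len) + 3) & ~(size_t)3)
#define NLA_HDRLEN     ((size_t)NLA_ALIGN(sizeof(struct nla_hdr)))

/* Append one u32 attribute in network byte order; returns the new offset. */
static size_t put_be32(uint8_t *buf, size_t off, uint16_t type, uint32_t host)
{
    struct nla_hdr h = { .nla_len = NLA_HDRLEN + sizeof(uint32_t), .nla_type = type };
    uint32_t be = htonl(host);
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, &be, sizeof be);
    return off + NLA_ALIGN(h.nla_len);
}

/* Minimal nla_parse(): index attributes by type like the kernel's cda[] and
 * enforce the NLA_U32 policy for the two mark attributes.
 * Returns the number of attributes accepted, or -1 if the stream is malformed. */
static int parse_attrs(const uint8_t *buf, size_t len, const struct nla_hdr *cda[CTA_MAX + 1])
{
    size_t off = 0;
    int n = 0;
    memset(cda, 0, sizeof(*cda) * (CTA_MAX + 1));
    while (off + NLA_HDRLEN <= len) {
        struct nla_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.nla_len < NLA_HDRLEN || off + h.nla_len > len)
            return -1;                                   /* truncated attribute */
        if ((h.nla_type == CTA_MARK || h.nla_type == CTA_MARK_MASK) &&
            h.nla_len - NLA_HDRLEN != sizeof(uint32_t))
            return -1;                                   /* policy violation */
        if (h.nla_type <= CTA_MAX) {
            cda[h.nla_type] = (const struct nla_hdr *)(buf + off);
            n++;
        }
        off += NLA_ALIGN(h.nla_len);
    }
    return n;
}

/* nla_get_be32() followed by ntohl(), as in the get_conntrack hunk. */
static uint32_t get_be32(const struct nla_hdr *a)
{
    uint32_t be;
    memcpy(&be, (const uint8_t *)a + NLA_HDRLEN, sizeof be);
    return ntohl(be);
}

struct ctnetlink_dump_filter {           /* same shape as in the patch */
    struct { uint32_t val; uint32_t mask; } mark;
};

/* A filter exists only when both attributes are present; returns 1 if built. */
static int build_filter(const struct nla_hdr *cda[CTA_MAX + 1], struct ctnetlink_dump_filter *f)
{
    if (!cda[CTA_MARK] || !cda[CTA_MARK_MASK])
        return 0;
    f->mark.val  = get_be32(cda[CTA_MARK]);
    f->mark.mask = get_be32(cda[CTA_MARK_MASK]);
    return 1;
}

/* The predicate from the dump_table hunk: no filter means dump everything. */
static int mark_matches(const struct ctnetlink_dump_filter *f, uint32_t ct_mark)
{
    return f == NULL || (ct_mark & f->mark.mask) == f->mark.val;
}

/* Build a request, parse it, and count the entries of a constructed conntrack
 * table (the marks below are made up) that the kernel would send for it. */
static int dump_count(uint32_t req_mark, uint32_t req_mask, int send_mask)
{
    static const uint32_t table[] = { 0x00, 0x10, 0x11, 0x1f, 0x20, 0x30, 0x1010 };
    uint8_t buf[32];
    const struct nla_hdr *cda[CTA_MAX + 1];
    struct ctnetlink_dump_filter filter, *fp = NULL;
    size_t len = put_be32(buf, 0, CTA_MARK, req_mark);
    int sent = 0;

    if (send_mask)
        len = put_be32(buf, len, CTA_MARK_MASK, req_mask);
    if (parse_attrs(buf, len, cda) < 0)
        return -1;
    if (build_filter(cda, &filter))
        fp = &filter;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        sent += mark_matches(fp, table[i]);
    return sent;
}

/* A request cut one byte short must be rejected, not read past its end. */
static int parse_truncated_request(void)
{
    uint8_t buf[16];
    const struct nla_hdr *cda[CTA_MAX + 1];
    size_t len = put_be32(buf, 0, CTA_MARK, 0x10);
    return parse_attrs(buf, len - 1, cda);
}

int main(void)
{
    printf("0x10/0xf0, mask sent:        %d entries\n", dump_count(0x10, 0xf0, 1));
    printf("0x10, no mask (no filter):   %d entries\n", dump_count(0x10, 0, 0));
    printf("0x10/0x0f, val outside mask: %d entries\n", dump_count(0x10, 0x0f, 1));
    printf("truncated request:           %d\n", parse_truncated_request());
    return 0;
}
```

The second call shows that a CTA_MARK sent without CTA_MARK_MASK installs no filter at all, so every entry is dumped and filtering falls back to user-space as before; the third call shows the edge case worth raising in review, a value with bits outside the mask, for which the dump returns nothing rather than an error.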